Latest Cybersecurity News 2023-05-29 Edition

Weekly CyberTip: What is “Living off the Land”? 

Living off the Land (LOTL) is a cyber attack technique increasingly used by sophisticated threat actors. Early in an attack, rather than deploying their own hacking software or scripts (which may draw the attention of EDR or SIEM solutions), some hackers restrict themselves to the legitimate services and libraries already in place on the victim’s network. Using (or rather, abusing) authorized, pre-existing tools until the last moment before deploying malicious code is less likely to be noticed by monitoring systems, and allows threat actors to lurk and gather intelligence quietly before striking.

OIPC releases report on Newfoundland & Labrador healthcare cyber incident

On May 24, the Office of the Information and Privacy Commissioner (OIPC) of Newfoundland and Labrador released its report on the investigation of the 2021 cyber attack on the province’s health authorities. According to the report, “significant cyber security vulnerabilities existed for some time prior to the cyber attack, that these vulnerabilities were known within the Centre for Health Information when it took over responsibility for cyber security from the Regional Health Authorities, and that the Department was informed in 2020, over a year prior to the cyber attack, that a threat assessment rated the chances of a cyber attack as ‘high’ and the impact of such an event as ‘high.’” 

The investigation found that “efforts to reduce these vulnerabilities prior to the cyber attack were inadequate. The resulting cyber attack was the largest privacy breach ever experienced in this province, which saw the personal health information or personal information of the vast majority of our population taken by malicious threat actors. It was also one of the largest ransomware attacks in Canada to date.” 

The report contains 34 findings and provides six recommendations for the new Provincial Health Authority. On April 1, 2023, the new authority (called Newfoundland and Labrador Health Services) replaced the four former regional health authorities and the Newfoundland and Labrador Centre for Health Information, which were the organizations victimized in the 2021 incident.

In the government response to the report, also issued May 24, the Ministry of Justice and Public Safety confirmed that the province will review the key findings and recommendations and provide a formal response to the Privacy Commissioner’s Office.

CCCS issues warning about state-sponsored cyber threat

On May 24, the Canadian Centre for Cyber Security issued a press release “warning Canadians of a significant threat from a state-sponsored cyber threat actor associated with the People’s Republic of China” called Volt Typhoon. While the attackers have been focused on critical infrastructure targets in the United States (no Canadian victims have been reported as yet), the release reminds us that the close integration of western economies and infrastructure means that an attack on one party can have implications for others. 

The press release draws attention to a recent joint cybersecurity advisory co-published by the “Five Eyes” (Canada, the U.K., Australia, New Zealand, and the United States), which provides detailed information about host artifacts leveraged by the attackers, indicators of compromise, and mitigation strategies to use against Volt Typhoon.

“One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell,” warns the advisory.
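The detection side of the Weekly CyberTip and of the advisory quoted above, as an added example (not code from the advisory, the CCCS, or ISA Cybersecurity): it scans process-creation events for launches of the four built-in tools the advisory names, rates each by its parent process, and flags hosts where several of those tools ran in sequence, which is the chaining LOTL relies on. The sample events, the suspicious-parent list and the field names are constructed assumptions modelled on Sysmon-style process-creation records.

```python
import json

# Built-in Windows tools the advisory names as Volt Typhoon's LOTL toolset.
# A sighting is a triage lead, not proof of compromise: admins use these too.
LOTL_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Parents from which these tools rarely spawn during legitimate administration
# (an assumption for this example; tune to the environment's baseline).
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "outlook.exe"}

# Constructed process-creation events, one JSON object per line (raw string, so
# the doubled backslashes are JSON escapes for single Windows path separators).
SAMPLE_EVENTS = r"""
{"ts":"2023-05-22T03:14:07Z","host":"FS01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\wbem\\wmic.exe","parent":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2023-05-22T03:16:41Z","host":"WEB02","user":"IIS APPPOOL\\DefaultAppPool","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
{"ts":"2023-05-22T03:17:02Z","host":"WEB02","user":"IIS APPPOOL\\DefaultAppPool","image":"C:\\Windows\\System32\\netsh.exe","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts":"2023-05-22T03:18:30Z","host":"WEB02","user":"IIS APPPOOL\\DefaultAppPool","image":"C:\\Windows\\System32\\wbem\\wmic.exe","parent":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ts":"2023-05-22T09:02:11Z","host":"HR07","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}
"""


def basename(path):
    """Lower-cased final component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return a finding when the launched image is one of the LOTL tools, else None."""
    tool = basename(event["image"])
    if tool not in LOTL_TOOLS:
        return None
    parent = basename(event["parent"])
    severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "tool": tool, "parent": parent, "severity": severity}


def detect(text):
    return [f for f in map(classify, parse_events(text)) if f]


def clustered_hosts(findings, min_tools=3):
    """Hosts on which several distinct built-in tools ran: the tool chaining LOTL depends on."""
    tools_by_host = {}
    for f in findings:
        tools_by_host.setdefault(f["host"], set()).add(f["tool"])
    return {host for host, tools in tools_by_host.items() if len(tools) >= min_tools}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['severity']:6} {f['host']:6} {f['tool']} <- {f['parent']} ({f['user']})")
    print("hosts with tool clusters:", clustered_hosts(found))
```

On the constructed sample, the web-server worker spawning PowerShell rates high on its own, and WEB02 is additionally flagged as a cluster because three of the four tools ran there within minutes.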

Medical societies in Canada and U.S. confirm cyber attacks

According to a May 23 article in IT World Canada, a representative from the Canadian Nurses Association (CNA) has now confirmed that the organization suffered a cyber incident on April 3. 

“We can confirm having experienced an IT security incident on April 3, 2023 which impacted some of our systems,” Alexandre Bourassa, Public Affairs Lead at CNA, wrote in an email to IT World Canada. “The incident did not impact our operations,” he added, although there are concerns of a potential data breach: attention was drawn to the incident when reports surfaced on Twitter that the Snatch ransomware gang had added CNA to their victim list on their dark website.   

The Medical Society of the State of New York (MSSNY) also appeared on the Snatch leak site around the same time. MSSNY had revealed a cyber attack on April 8, with timing similar to that of the CNA incident. At the time, they advised that they had restored functionality “back to normal” after the incident, and that their systems and data are “clean and operating as usual.”

Each organization is independently continuing its investigation into potential data exfiltration, particularly in light of the alleged data thefts by the Snatch gang.

Municipalities under attack: City of Augusta, Georgia faces cyber incident

On May 24, City of Augusta Mayor Garnett Johnson issued a statement confirming that the city’s systems were the “victim of unauthorized access” in an incident three days earlier. Coincidentally, the city’s systems had been disrupted the previous week as well, though the mayor insisted the incidents were unrelated. 

Various municipal functions including bill payment handling, bookings, and penal system services were disrupted. The city continues to “investigate the incident, to confirm its impact on our systems, and to restore full functionality to our systems as soon as possible. We are also actively investigating to determine whether any sensitive data may have been impacted,” according to the statement. 

Meanwhile, analysts at Bleeping Computer report that the notorious ransomware operation BlackByte was involved in the incident, with the gang posting a 10Gb data sample allegedly taken during the attack on the city. The dark web leak site indicates a $400K (all figures USD) ransom to delete the data, and a $300K price tag for criminals to purchase it.

On May 25, the city issued a statement denying rumours that a $500M ransom had been demanded, but made no mention of the possible data theft or the significantly lower pricing listed on the BlackByte site. 
